Among other things, data controllers are required to only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR. Here are some aspects you may want to consider when conducting your assessment of G Suite and Google Cloud Platform services.
EXPERT KNOWLEDGE, RELIABILITY, AND RESOURCES
Data Protection Expertise
Google employs security and privacy professionals that include some of the world’s foremost experts in information, application, and network security. This team is tasked with maintaining the company’s defense systems, developing security review processes, building security infrastructure, and implementing Google’s security policies. Google also employs an extensive team of lawyers, regulatory compliance experts, and public policy specialists who look after privacy and security compliance for Google. These teams engage with customers, industry stakeholders, and supervisory authorities to shape the G Suite and Google Cloud Platform services in a manner that helps customers meet their compliance needs.
DATA PROTECTION COMMITMENTS
Data Processing Agreements
Google’s data processing agreements for G Suite and Google Cloud Platform clearly articulate its privacy commitments to its customers. Google has evolved these terms over the years based on feedback from its customers and regulators. More recently, it has specifically updated these terms to reflect the GDPR, and has made these updates available well in advance of the entry into force of the GDPR to facilitate its customers’ compliance assessment and GDPR readiness when using Google Cloud services. Google Cloud customers can enter into these updated data processing terms now via the opt-in process described here for the G Suite Data Processing Amendment and here for the GCP Data Processing and Security Terms; the updated terms will take effect from 25 May 2018, when the GDPR comes into force.
Processing According to Instructions
Any data that a customer and its users put into Google’s systems will only be processed in accordance with the customer’s instructions, as described in Google’s current as well as its GDPR-updated data processing agreements.
Personnel Confidentiality Commitments
All Google employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy trainings, as well as a Code of Conduct training. Google’s Code of Conduct specifically addresses responsibilities and expected behavior with respect to the protection of information.
USE OF SUBPROCESSORS
Google Group companies directly conduct the majority of data processing activities required to provide the G Suite and Google Cloud Platform services. However, Google does engage some third-party vendors to assist in supporting these services. Each vendor goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy. Google makes information available about the Google Group subprocessors supporting G Suite and Google Cloud Platform services, as well as the third-party subprocessors involved in those services, and it includes commitments relating to subprocessors in its current and updated data processing agreements.
SECURITY OF THE SERVICES
According to the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Google operates global infrastructure designed to provide state-of-the-art security through the entire information processing lifecycle. This infrastructure is built to provide secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the Internet, and safe operation by administrators. G Suite and Google Cloud Platform run on this infrastructure. Google designed the security of its infrastructure in layers that build upon one another, from the physical security of data centers, to the security protections of its hardware and software, to the processes it uses to support operational security. This layered protection creates a strong security foundation for everything Google does. A detailed discussion of Google’s infrastructure security can be found in the Google Infrastructure Security Design Overview whitepaper.
NOTE: Please bear in mind that nothing in this article is intended to provide you with, or should be used as a substitute for, legal advice. I recommend you seek independent legal advice to determine your appropriate national or lead data protection authority.